0 Replies Latest reply on Nov 13, 2013 12:05 PM by Sebastiao Santos

    JAAS security with JMS Queues and remote client

    Sebastiao Santos Newbie

      Hi Guys,

       

      I think I'm losing concepts about security and sending messages to a queue from a remote java client.

       

      In my server, I use some realms to authenticate users like:

       

                  <security-realm name="ManagementRealm">

                      <authentication>

                          <local default-user="$local"/>

                          <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>

                      </authentication>

                  </security-realm>

                  <security-realm name="ApplicationRealm">

                      <authentication>

                          <jaas name="myJaasSecurityDomain"/>

                      </authentication>

                  </security-realm>

       

      My ApplicationRealm is securing my web apps using a LoginModule with "code" database  and it's all ok. My ManagementRealm is protecting something like my native-interface and http-interface.

       

      I've deploied an queue with jndi "queue/PingQueue" and its respective remote name "java:jboss/exported/queue/PingQueue" in my standalone-full.xml and I want to send a message from an remote java client for learning purposes.

       

      First problem: to do JNDI lookup of ConnectionFactory and Queue, I can only use ManagementRealm on the remoting subsystem as:

              <subsystem xmlns="urn:jboss:domain:remoting:1.1">

                  <connector name="remoting-connector" socket-binding="remoting" security-realm="ManagementRealm"/>

              </subsystem>

       

      In this way, I can do JNDI lookup of ConnectionFactories and Queues using username/password that are registered on the mgmt-users.properties, but, if I change the security-realm of the connector to  ApplicationRealm, I can't do lookup using username/password that exists on ApplicationRealm.

       

      Second problem: to create connection factories using 'connectionFactory.createConnection("username", "password")'  I'm only able to use ApplicationRealm.

       

      When I try to send message to a queue, Hornet says me that "...myUser doesn't have permission='SEND' on address jms.queue.queuePingQueue".

       

      Question 1: Can I use ApplicationRealm to secure my remoting subsystem or am I doing this wrong ? To use ApplicationRealm I need to transform my username/password with something like JaasCallbackHandler or Hash MD5 or other ?

       

      Question 2: How can I fix the Queue security so I can put messages on that queue/PingQueue  ?

       

      Question 3: Is my setup ok ? My standalone-full.xml has some design problems ?

       

      Below some code I'm using outside container, from my java cliente. I'm using jboss-client.jar as library and JBoss 7.1.3. I'm running my cliente from Eclipse with JBoss Tools.

       

      Thanks in advance,

       

      ----------------------------------

                  final Properties env = new Properties();

                  env.put(Context.INITIAL_CONTEXT_FACTORY, INITIAL_CONTEXT_FACTORY);

                  env.put(Context.PROVIDER_URL, System.getProperty(Context.PROVIDER_URL, PROVIDER_URL));

                  env.put(Context.SECURITY_PRINCIPAL, System.getProperty("username", DEFAULT_USERNAME));

                  env.put(Context.SECURITY_CREDENTIALS, System.getProperty("password", DEFAULT_PASSWORD));

                  context = new InitialContext(env);


                  connectionFactory = (ConnectionFactory) context.lookup("jms/RemoteConnectionFactory");

                  destination = (Destination) context.lookup("queue/PingQueue");

                  connection = connectionFactory.createConnection("myUser", "myPassword");

                  session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);

                  producer = session.createProducer(destination);

                ...

                      message = session.createTextMessage(content);

                      producer.send(message);

                ...